zorp https config

  1. ############################################################################
  2. ##
  3. ## Copyright (c) 2000-2015 BalaBit IT Ltd, Budapest, Hungary
  4. ##
  5. ##
  6. ## This program is free software; you can redistribute it and/or modify
  7. ## it under the terms of the GNU General Public License as published by
  8. ## the Free Software Foundation; either version 2 of the License, or
  9. ## (at your option) any later version.
  10. ##
  11. ## This program is distributed in the hope that it will be useful,
  12. ## but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. ## GNU General Public License for more details.
  15. ##
  16. ## You should have received a copy of the GNU General Public License along
  17. ## with this program; if not, write to the Free Software Foundation, Inc.,
  18. ## 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  19. ##
  20. ############################################################################
  21.  
  22. # sample firewall policy with transparent access to HTTPS servers.
  23.  
  24. from Zorp.Core import *
  25. from Zorp.Http import *
  26. from Zorp.Encryption import *
  27. from Zorp.Keybridge import X509KeyBridge
  28.  
  29. #
  30. # Let's define a transparent https proxy, which bridges X509
  31. # CAs and certificates
  32. #
class HttpsProxyKeybridge(HttpProxy):
    """Transparent HTTPS proxy that key-bridges the TLS session.

    TLS is forced on both legs (see ``config``): the proxy opens its own TLS
    session to the real server and presents the client a keypair produced by
    ``key_generator`` instead of a static certificate.  Which of the two CAs
    below signs that client-facing certificate is decided inside
    X509KeyBridge -- presumably the "TrustedCA" when the upstream certificate
    validated and the "UnTrustedCA" otherwise; confirm against the keybridge
    documentation before relying on it.

    Security notes for deployment:
      * every passphrase below is the literal sample placeholder
        "passphrase"; change them, and keep this policy file readable only by
        the zorp user, because the passphrases are stored in it in clear text;
      * clients must trust ONLY the TrustedCA certificate.  If the UnTrustedCA
        certificate is ever installed on clients, servers with invalid or
        self-signed certificates become indistinguishable from valid ones;
      * the cache directory presumably holds generated keys and certificates,
        so it must not be readable by other users on the host -- verify the
        mode Zorp creates it with.
    """

    # Built once, when the policy module is loaded (class-body assignment), and
    # shared by every proxy instance.
    key_generator=X509KeyBridge(
        # Private key handed to the keybridge (presumably the key the generated
        # client-facing certificates are issued for) and its passphrase.
        key_file="/etc/zorp/keybridge/key.pem",
        key_passphrase="passphrase",  # sample placeholder -- replace before use
        cache_directory="/var/lib/zorp/keybridge-cache",
        # (certificate, private key, passphrase) triples for the two signing CAs.
        # The UnTrustedCA key must never be distributed to clients.
        trusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem",
            "passphrase"
        ),
        untrusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem",
            "passphrase"
        )
    )

    def config(self):
        """Apply the base HttpProxy settings, then force TLS on both legs."""
        HttpProxy.config(self)
        # Do not insist on a Host: header -- presumably so pre-HTTP/1.1 clients
        # can still be served transparently.  This drops one request sanity
        # check; re-enable it if only HTTP/1.1 clients are expected.
        self.require_host_header=FALSE
        # Handshake with the server before the client, so the upstream
        # certificate is already known when the client-facing one has to be
        # produced -- presumably the order the keybridge requires.
        self.ssl.handshake_seq=SSL_HSO_SERVER_CLIENT
        self.ssl.key_generator = self.key_generator
        # Client leg: TLS is mandatory, the keypair shown to the client is
        # generated by key_generator, and a client certificate is neither
        # required nor validated if one is offered (OPTIONAL_UNTRUSTED).
        self.ssl.client_keypair_generate=TRUE
        self.ssl.client_connection_security=SSL_FORCE_SSL
        self.ssl.client_verify_type=SSL_VERIFY_OPTIONAL_UNTRUSTED
        # Server leg: TLS is mandatory and the server MUST present a
        # certificate, but one that fails validation is still accepted
        # (REQUIRED_UNTRUSTED) -- presumably so the keybridge can relay such
        # servers under the UnTrustedCA instead of dropping them (see class
        # docstring).  If that is not wanted, the stricter
        # SSL_VERIFY_REQUIRED_TRUSTED setting rejects them at the proxy.
        self.ssl.server_connection_security=SSL_FORCE_SSL
        self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED
        # Trust anchors for validating upstream certificates: the host's CA
        # store, plus a Zorp-specific directory (presumably for explicitly
        # trusted / pinned server certificates -- confirm).
        self.ssl.server_ca_directory="/etc/ssl/certs"
        self.ssl.server_trusted_certs_directory="/etc/zorp/certs"
  62.  
  63. #
  64. # The name of this function is passed to the Zorp binary with the --as
  65. # command line option.
  66. #
  67.  
  68. # zorp_https instance
def zorp_https():
    """Instance entry point for the transparent HTTPS proxy.

    Zorp calls this function when started with ``--as zorp_https``.  It
    registers a service named "https" backed by HttpsProxyKeybridge and one
    rule that steers port-443 traffic to that service.

    The rule selects on destination port only.  No source or destination
    selector is given, so presumably every port-443 flow reaching this
    instance is intercepted -- confirm, and narrow the rule before using it
    outside a lab.
    """
    intercepted_ports = [443]
    Service(name="https", proxy_class=HttpsProxyKeybridge)
    Rule(service="https", dst_port=intercepted_ports)